
Thread: No access to Internet Options, connectivity problem, and other problems

  1. #11
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    ...this post is to finish responding to your most recent instructions, as my last post got too near the maximum characters.

    5. Extras.txt.

    OTL Extras logfile created on: 12/11/2011 11:06:22 AM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\user\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.15% Memory free
    3.85 Gb Paging File | 3.27 Gb Available in Paging File | 85.08% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.93 Gb Total Space | 117.29 Gb Free Space | 78.75% Space Free | Partition Type: NTFS
    Drive D: | 559.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: USER-PC | User Name: user | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    [HKEY_USERS\S-1-5-21-1708537768-839522115-1644491937-1003\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
    Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
    Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
    "{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
    "{06A90A28-39A7-641D-1777-EEC4FCD37148}" = CCC Help German
    "{0DE4D7E2-2BB6-0C34-079C-2174F2FB1754}" = Skins
    "{12E763EC-DB68-3A23-6D6F-0BF9CE7A4C55}" = Catalyst Control Center Graphics Full New
    "{146E4151-3CDB-6635-776A-87019FB5DDD4}" = Catalyst Control Center Graphics Light
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83217001FF}" = Java(TM) 7 Update 1
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{763EA1A1-2B40-E43E-11F3-0F332644CA8B}" = Catalyst Control Center Graphics Full Existing
    "{786D6B8A-E4E6-E457-C302-2FAA028570ED}" = ccc-core-preinstall
    "{824A5A2C-0C30-529E-3842-745B57EAD3F3}" = ccc-utility
    "{849D3A6B-736F-652B-0C33-A52A39E645ED}" = Catalyst Control Center Core Implementation
    "{84A4274F-FA55-6B07-2DAD-735D923E7A94}" = CCC Help Turkish
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{86EB9D10-657B-955C-BB7E-9EA97871BA79}" = CCC Help Chinese Standard
    "{87D76335-6ED0-41DE-404E-65218CADE654}" = CCC Help Japanese
    "{8C359752-1032-767B-B9C9-AA523A03779A}" = CCC Help English
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{9319D53F-A5D7-384F-BBC8-935C5A49595C}" = CCC Help Chinese Traditional
    "{9370A8CE-2DD8-3DAA-71FA-DB65B50DEB10}" = CCC Help Portuguese
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A7DFAB44-4FEF-E98A-5311-5B4679FD5B99}" = CCC Help Italian
    "{A9744990-2B78-4D33-3238-54F2723990E6}" = Catalyst Control Center Graphics Previews Common
    "{B1A5C653-F1C5-DB2F-4519-BDDDD2B3C144}" = ccc-core-static
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C2561DC1-1F1C-2657-53FF-DF1F91B3DEB3}" = CCC Help Korean
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF101D4A-E149-7A06-C59F-73DBA726991A}" = CCC Help Spanish
    "{E481DB0E-52F2-4EE0-9BDA-9EE173FA6EA2}" = Catalyst Control Center - Branding
    "{E795D604-32D8-03F2-0A5B-B2350747934F}" = CCC Help French
    "{E90C87F7-8167-FDF4-0444-960FE6473100}" = Catalyst Control Center Localization All
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{EFDB5A5D-9A06-023E-574B-9CB3C25CE7B8}" = CCC Help Hungarian
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Creative PD0630" = Creative WebCam Live! Driver (1.02.03.0606)
    "ERUNT_is1" = ERUNT 1.1j
    "Foxit Reader" = Foxit Reader
    "ie8" = Windows Internet Explorer 8
    "InterActual Player" = InterActual Player
    "IrfanView" = IrfanView (remove only)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "MediaMonkey_is1" = MediaMonkey 3.2
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "OnlineArmor_is1" = Online Armor 4.0
    "SpywareBlaster_is1" = SpywareBlaster 4.5
    "vamps" = vampsスクリーンセーバー
    "VLC media player" = VLC media player 1.1.11
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WinRAR archiver" = WinRAR 4.00 beta 3 (32-bit)
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12/5/2011 2:23:29 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3058
    Description = The application cannot be initialized. Context: Windows Application
    Details:
    The
    content index metadata cannot be read. (0xc0041801)

    Error - 12/5/2011 2:44:02 PM | Computer Name = USER-PC | Source = JavaQuickStarterService | ID = 1
    Description =

    Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 7040
    Description = The search service has detected corrupted data files in the index.
    The service will attempt to automatically correct this problem by rebuilding the
    index. Context: Windows Application, SystemIndex Catalog Details: 0xc0041801 (0xc0041801)

    Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3029
    Description = The plug-in in <Search.TripoliIndexer> cannot be initialized. Context:
    Windows Application, SystemIndex Catalog Details: The content index cannot be read.
    (0xc0041800)

    Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3028
    Description = The gatherer object cannot be initialized. Context: Windows Application,
    SystemIndex Catalog Details: The content index cannot be read. (0xc0041800)

    Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3058
    Description = The application cannot be initialized. Context: Windows Application
    Details:
    The
    content index cannot be read. (0xc0041800)

    Error - 12/6/2011 9:06:09 AM | Computer Name = USER-PC | Source = Avira AntiVir | ID = 4118
    Description = EXCEPTION calling function <Scan> for the file C:\Documents and Settings\user\My
    Documents\My Pictures\hyde DVD's 11-09-2011\hyde DVD purchases - photos\hyde Faith
    discs - bits of something sticky on each 1 IM000599.jpg [ACCESS_VIOLATION Exception!!
    EIP = 0x1b73952] Please inform Avira and submit the appropriate file!

    Error - 12/7/2011 4:31:50 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3024
    Description = The update cannot be started because the content sources cannot be
    accessed. Fix the errors and try the update again. Context: Application, SystemIndex
    Catalog

    Error - 12/8/2011 2:42:37 PM | Computer Name = USER-PC | Source = Avira AntiVir | ID = 4118
    Description = EXCEPTION calling function <Scan> for the file C:\Documents and Settings\user\My
    Documents\My Pictures\hyde DVD's 11-09-2011\hyde DVD purchases - photos\Heather
    Briefman hyde DVD's purchase - before opening - pressure from shipping IM000560.jpg
    [ACCESS_VIOLATION Exception!! EIP = 0x1b73952] Please inform Avira and submit the
    appropriate file!

    Error - 12/11/2011 2:07:34 PM | Computer Name = USER-PC | Source = ESENT | ID = 490
    Description = svchost (876) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
    for read / write access failed with system error 32 (0x00000020): "The process
    cannot access the file because it is being used by another process. ". The open
    file operation will fail with error -1032 (0xfffffbf8).

    [ System Events ]
    Error - 12/11/2011 1:40:00 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 1:40:32 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 1:40:32 PM | Computer Name = USER-PC | Source = atapi | ID = 262155
    Description = The driver detected a controller error on \Device\Ide\IdePort1.

    Error - 12/11/2011 1:41:57 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 1:42:15 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 1:43:19 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 1:43:27 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 1:45:39 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 1:51:06 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 12/11/2011 2:20:37 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.


    < End of report >

    It seems like a lot of work, reviewing this! Thanks for your efforts.
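One way a reviewer could triage an Extras.txt report like the one above (added example, not part of the original posts and not OTL's own code). The section layout is taken from the report; the function names, the list of values to review and the `HIJACKED` variant are assumptions made for this illustration.

```python
import re

SECTION_RE = re.compile(r"^=+ (.+?) =+$")              # ========== Name ==========
HANDLER_RE = re.compile(r"^(\S+) \[(.+?)\] -- (.*)$")  # exefile [open] -- "%1" %*
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')           # "EnableFirewall" = 0

# Windows default command for the classes that start programs directly.
EXEC_DEFAULT = '"%1" %*'
EXEC_CLASSES = {"batfile", "cmdfile", "comfile", "exefile", "piffile"}

# Assumption of this example: name/data pairs that deserve a manual look.
REVIEW_VALUES = {
    "EnableFirewall": "0",
    "DisableSR": "1",
    "AntiVirusOverride": "1",
    "FirewallOverride": "1",
    "AntiVirusDisableNotify": "1",
    "FirewallDisableNotify": "1",
    "UpdatesDisableNotify": "1",
}

# A few lines copied from the report above (not the full log).
SAMPLE = r'''
========== File Associations ==========

[HKEY_USERS\S-1-5-21-1708537768-839522115-1644491937-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
'''

# Constructed variant (not from the report): the exefile handler no longer
# has the default command, which is what the launcher check looks for.
HIJACKED = SAMPLE.replace(
    'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\constructed\placeholder.exe" "%1" %*',
)


def split_sections(text):
    """Map each '========== Name ==========' header to its non-empty lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and line:
            current.append(line)
    return sections


def triage(text):
    """Return (section, item, reason) tuples for entries worth a manual look."""
    findings = []
    for section, lines in split_sections(text).items():
        key = ""
        for line in lines:
            if line.startswith("[HK"):        # registry key the next lines belong to
                key = line[1:-1]
                continue
            handler = HANDLER_RE.match(line)
            value = VALUE_RE.match(line)
            if handler:
                cls, verb, cmd = handler.groups()
                item = f"{cls} [{verb}]"
                if cmd.startswith("Reg Error"):
                    findings.append((section, item, "OTL reported: " + cmd))
                elif cls in EXEC_CLASSES and verb == "open" and cmd != EXEC_DEFAULT:
                    findings.append((section, item, "non-default launcher: " + cmd))
            elif value and REVIEW_VALUES.get(value.group(1)) == value.group(2).strip():
                findings.append((section, value.group(1),
                                 f"= {value.group(2)} under {key}"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE):
        print(f"{section:18} {item:22} {reason}")
```

A finding is a prompt to look, not a verdict: `EnableFirewall = 0`, for instance, can simply reflect a third-party firewall such as the Online Armor install listed in the report.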

  2. #12
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Hi I_dream_of_Mercury,

    Thank you for the logs and feedback.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before we proceed please make sure any open programs are closed.

    Step 1:
    Program Query:

    Are you aware of having installed the following program?
    vampsƒXƒNƒŠーƒ“ƒZーƒoー
    If so, please clarify what the program is used for.

    Step 2:
    Reset IE8:

    • Please download Microsoft FixIt and save it to the desktop.
    • Double-click on MicrosoftFixit50195.exe, select I Agree and click on Next.
    • Follow the on-screen prompts.
    • You may delete MicrosoftFixit50195.exe when finished, or keep it in case of any problems with IE8 in the future.
    • Next time IE8 is launched you will be prompted to reapply settings again; this is normal.

    Please Note: Any add-ons will need to be reapplied after the above reset.

    Step 3:
    OTL - Script

    Next we need to run an OTL script.

    Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan. Refer to This Howto Topic, if necessary.

    1. Double-click on OTL.exe to launch the program.
    2. Copy and Paste the following code into the textbox. Do not include the word Code.
      Code:
      :OTL
      O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" File not found
      O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe:SummaryInformation
      @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [152 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
      [137 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      
      :Files
      ipconfig /flushdns /c
      
      :Commands
      [PURITY]
      [emptyjava]
      [EMPTYTEMP]
      [RESETHOSTS]
      [CREATERESTOREPOINT]
    3. Then click the Run Fix button at the top.
    4. Click on the OK button.
    5. OTL may ask to reboot the machine. Please do so if asked.
    6. The report should appear in Notepad after the reboot.
    7. Please Copy and Paste the contents of that report into your next reply.

    Step 4:
    Check Hard Disk For Errors

    1. Click on Start and select Run.
    2. Then Copy and Paste the following command into the box and then click on the OK button:
      Code:
      cmd /c chkdsk c: |find /v  "percent" >> "%userprofile%\desktop\checkhd.txt"
      A blank command window will open on your Desktop, then close in a few minutes. This is normal.
    3. A file and icon named checkhd.txt should appear on your Desktop.
    4. Please Copy and Paste the contents of the checkhd.txt file into your next reply.

    Step 5:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. Are you aware of having installed the program: vamps? If so, please clarify what the program is used for.
    3. OTL.txt.
    4. checkhd.txt.
    5. How is the computer now running?

    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Last edited by Scolabar; 2011-12-12 at 20:11.
    Malware Removal University - You too could train to help others

  3. #13
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Scolabar, hi!

    I've just tried running Microsoft Fixit, and the message says, "This Microsoft Fix it failed to process."

    I was careful to follow your instructions. I saved Microsoft Fixit from the link, onto my desktop. With all programs closed, including disabling security software, I double-clicked on the icon on the desktop, checked I agree, then clicked Next. A screen came up saying it was processing this Microsoft Fixit, and when the processing was done, it went to the screen that says, "This Microsoft Fix it failed to process." I tried it three times.

    I'm wondering if this has anything to do with how my user profiles are set up, or how they're set up in relationship to each other. The profile I normally use has administrative rights. Microsoft says that if you can bring up Date and Time Properties controls, you have administrative rights, and I can do that, in this profile. If I add favorites or settings to my regular user profile, those favorites or settings don't show up in the Administrator's IE - should they?

    So, for example, if my current user profile has administrative rights, do I need to ask it to "Run as the Administrator," when running Microsoft Fixit? And if I ask it to run as the Administrator, will that be a problem, since last I checked, the Administrator had lost connectivity to the Internet in Safe Mode?

    I wondered about the profiles being at issue previously, when I tried to update from IE8 to a newer version of IE8, and it hung at the point in the process where it applied personal preferences. If I recall correctly, it wanted me to run the update as the Administrator, but of course I was normally using IE as another user, and could only log on as Administrator in Safe Mode. So I wondered if IE got confused about applying another user profile's preferences to the IE update, when the update was originally run as the Administrator.

    Ha, but maybe I'm totally off about all that!

    Please advise how I should proceed, next. Thank you for your continued help!


    And here's the answer to
    Step 1:
    Program Query:

    "Are you aware of having installed the following program?
    vampsスクリーンセーバー"
    This is a screensaver, and the origin is Japanese. The characters after the word "vamps" I presume are substitutes for Japanese characters, because somehow the program name didn't convert to the correct font.

    I notice that it doesn't display by that name, vampsスクリーンセーバー , anymore. The screensaver itself, now is just "vamps.scr" - or whatever the screensaver file type is. I may have renamed it from the file name you're quoting, but I'm not sure - this also may have been the name of the installer. I hope it's not causing any problems, because I'd like to keep it, if it's not harmful.

  4. #14
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Hi I_dream_of_Mercury,

    Thank you for the feedback and the information about the vamps program. :thumbright:

    Regarding your questions relating to your user profiles, you should be running all the instructions I am providing from within your account that has administrative privileges.

    Quote Originally Posted by I_dream_of_Mercury
    If I add favorites or settings to my regular user profile, those favorites or settings don't show up in the Administrator's IE - should they?
    No, they will only be available in your regular user profile.

    Quote Originally Posted by I_dream_of_Mercury
    I wondered about the profiles being at issue previously, when I tried to update from IE8 to a newer version of IE8, and it hung at the point in the process where it applied personal preferences. If I recall correctly, it wanted me to run the update as the Administrator, but of course I was normally using IE as another user, and could only log on as Administrator in Safe Mode. So I wondered if IE got confused about applying another user profile's preferences to the IE update, when the update was originally run as the Administrator.
    If you have multiple user accounts on your system, you should log out of all accounts, log back in to an account with administrative privileges in order to carry out any program installations and/or system and program updates.

    Please Confirm: Is this Before IE8 update KB2586448 10-13-2011 the point after which you started experiencing problems with IE and accessing the Internet Options?

    Next, please make sure Spybot's TeaTimer is disabled and then try running the instructions again.
    If that does not work, please let me know and we will try a different tack.

    Scolabar

  5. #15
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Hi,

    As confirmed in my last post, I've already performed these instructions.

    I disabled security software, per your previous instructions (disabled Tea Timer, Avira Antivir Guard, and Online Armor's Program Guard, HIPS features, and the firewall, did not disable SpywareBlaster), and ran the Microsoft Fixit from the desktop, while in a user account with administrative privileges. I tried this several times.

    I log into one user account, on the Welcome/login screen, so there's just one user account logged in, unless something needs to be done about the ASP.NET user account or the account named Administrator.

    After receiving your most recent message, I did look online, trying to see if I needed to do anything with the ASP.NET user account. In case it made any difference, I enabled automatic login, by running "control userpasswords2" and unchecking "Users must enter a user name and password to use this computer" option.

    I logged out and back in, made sure the security software was still disabled, and tried to run Microsoft Fixit three more times. As before, "This Microsoft Fixit failed to process."


    You asked: Please Confirm: Is this Before IE8 update KB2586448 10-13-2011 the point after which you started experiencing problems with IE and accessing the Internet Options?

    I'm not sure of your question. Did the problems with IE and accessing Internet Options start after that 10-13-2011 update?

    I'm sorry to say I don't know the exact order of some of these events.

    I don't know when my system first lost access to Internet Options. (I first discovered it Dec. 4, as I mentioned.) I do use Internet Options occasionally, and I'd be surprised if it was almost 2 months before I noticed that I couldn't access it, especially because I tried updating IE8 itself, at the time of the 10-13 update, and I would think that would have caused me to open Internet Options at least once, after the update failed to complete, just to check things. But I'm not certain.

    I tried to update IE8 twice, within the past few months. I'm not sure if 10-13 was the first or second time. I normally keep notes on such things, but all I can find right now, are some favorites I created on 10-12 and 10-13, trying to find out how to solve the problem with IE8 update's behavior. I see that problems created by updating IE8 are pretty common.

    Both times, the update appeared to install, IE updater restarted the computer, and at the beginning of start up, when it tried to apply personal preferences to IE, it continued to run indefinitely, and would never complete. I had to turn the computer off manually and restart, to get back in.


    Some other small changes I've noticed very recently, but hadn't thought to mention:

    I can no longer drag and drop highlighted text, when entering text online, as with online email or entering this message. Normally, I can, but recently I have to cut and paste. This might have developed right after the 10-13 update, but again, I'm not sure.

    Often, recently, when I go to save something, the computer plays that sort of "plunk" sound, as if you did something wrong. It does still let me save.

    Often, recently, between one and three of the images on a page won't load. It's not that the images are too heavy. Even if they're thumbnail size and the rest of the page loads quickly, I often have to refresh the page one or more times, in order for all the images to load. This is a new development. This might have started with my latest update of Flash player, though.

    Launching programs and performing most actions has slowed, not extremely but noticeably.

    In the past few days, since working on the computer, sometimes computer sounds, such as the Windows music played at start up, are sputtering, not playing smoothly.


    I notice that in some of your new instructions, you mention the Java updater. I don't know if it's related to this, but to let you know, I intentionally turned off the Java auto updater. I'd read that Java had been bundling third party stuff in their automatic updates, so that users didn't get a chance to refuse them, and also that the automatic updater was presenting a security vulnerability, so I've been just checking for updates every few weeks and updating manually. I'll follow whatever instructions you have, I just wanted to let you know why that's not enabled.

    Thanks very much for your continued help. I'll be checking back for new instructions.

  6. #16
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Hi I_dream_of_Mercury,

    Thank you for the feedback and patience.

    I needed to make sure that TeaTimer had not been re-enabled and was preventing the running of the Microsoft Fixit tool.
    Thank you for the confirmation. :thumbright:

    Quote Originally Posted by I_dream_of_Mercury
    In case it made any difference, I enabled automatic login, by running "control userpasswords2" and unchecking "Users must enter a user name and password to use this computer" option.
    I would strongly advise that you revert this change, if you haven't already done so.

    OK, let's try a different approach.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before we proceed please make sure any open programs are closed.

    Step 1:
    ComboFix

    Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own.
    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

    1. Please download ComboFix.exe by © sUBs and save it to your Desktop. <<--- IMPORTANT!!
      Alternate download site is available here.
    2. Please disable any Anti-Virus, Anti-Spyware and Firewall programs you have active, as shown in this topic. Please close all open application windows.
      Note: ** Only ** when the above two items in Step 2 have been dealt with should you proceed with the following steps:
    3. Double-click on Combofix.exe to start the program. If you receive the "Open File - Security Warning" message, click on the Run button.
    4. Reply Yes to the Disclaimer prompt.
      The ComboFix program screen will then appear, indicating the program is preparing to run. ComboFix will then begin creating a System Restore Point and then back up your Registry.
    5. With malware infections being as they are today, it is strongly recommended to have Microsoft Windows Recovery Console installed on your computer before attempting any malware removal. This will allow the computer to be booted up into a special recovery/repair mode that will provide the ability to recover the situation should your computer encounter a problem after an attempted removal of malware.
    6. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      **Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    7. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    8. Then click on the Yes button to continue.
      Note: Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    9. When the program has finished ComboFix will produce a log file called combofix.txt which will automatically open in Notepad.
    10. Please Copy and Paste the entire contents of the combofix.txt file into your next reply.

    ** REMEMBER ** Re-Enable your Anti-Virus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

    Step 2:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. combofix.txt.
    3. How is the computer now running?


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  7. #17
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Default

    Thanks for your continued support!

    1. Did you have any problems carrying out the instructions?

    The instructions were clear and easy to follow, except that I notice that this info, http://www.techsupportforum.com/foru...ns-490111.html, differs somewhat from this info, http://www.bleepingcomputer.com/forums/topic114351.html , regarding what's required in order to disable Spybot S&D.

    By the way, I did try disabling it by the instructions at the second link, and tried again, to run Microsoft Fixit, before running ComboFix, but it still didn't process.

    ComboFix was easier to run than I expected.



    2. combofix.txt:

    ComboFix 11-12-13.03 - user 12/14/2011 12:24:01.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1472 [GMT -8:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\user\Recent\Thumbs.db
    c:\program files\Internet Explorer\SET4.tmp
    c:\program files\Internet Explorer\SET5.tmp
    c:\program files\Internet Explorer\SET6.tmp
    c:\program files\Internet Explorer\SET6C.tmp
    c:\program files\Internet Explorer\SET6D.tmp
    c:\program files\Internet Explorer\SET7.tmp
    c:\program files\Internet Explorer\SET8.tmp
    c:\program files\Internet Explorer\SET9.tmp
    c:\windows\CSC\d6
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-14 to 2011-12-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-06 18:56 . 2011-12-06 18:58 -------- d-----w- c:\program files\ERUNT
    2011-12-01 13:38 . 2011-12-05 18:20 -------- d-----w- c:\program files\SpywareBlaster(2)
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-06 00:39 . 2010-05-02 18:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-01 19:32 . 2011-11-01 19:31 69792 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-01 19:32 . 2011-11-01 19:31 417952 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2011-10-21 15:30 . 2011-03-10 04:49 516692 ----a-w- c:\windows\vampsUninst.exe
    2011-10-21 15:30 . 2011-03-10 04:49 1903021 ----a-w- c:\windows\vamps.scr
    2011-10-10 14:22 . 2009-08-14 01:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-13 61440]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
    "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    .
    c:\documents and settings\user\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    .
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/8/2010 7:17 AM 228216]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/8/2010 7:17 AM 24440]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/8/2010 7:17 AM 29560]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/7/2010 11:34 PM 136360]
    R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/8/2010 7:17 AM 1284600]
    R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/8/2010 7:17 AM 3364856]
    S0 cerc6;cerc6; [x]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe --> c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [?]
    S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [10/28/2010 9:41 AM 91841]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.safer-networking.org/en/index.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-14 12:39
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(448)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-12-14 12:42:51
    ComboFix-quarantined-files.txt 2011-12-14 20:42
    .
    Pre-Run: 126,004,785,152 bytes free
    Post-Run: 126,164,434,944 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 0185036CB0AB85242BF73B397D4FDFB6



    3. How is the computer now running?


    So far, there's no apparent improvement :P

    Internet Options hasn't become accessible, yet.

    The computer's still moving quite slowly - if anything, a little slower than before ComboFix. It takes it much longer than usual to do anything, and much longer than usual to reboot.
    (It's become markedly slower in the past few days, since loading new programs and performing scans, than it was as a result of whatever problems it has. Maybe the additional slow down is to be expected.)

    I'm still unable to drag and drop highlighted text, in IE.

    I haven't tried logging into Safe Mode as Administrator, to see whether it's regained access to the Internet. It still had connectivity right after I discovered signs of infection, then mysteriously lost it, for no apparent reason. I'm kind of afraid to log back into that account, yet, for fear that somehow it will negatively affect the other user account, when I log back in.

    Now, when I hover the pointer over Control Panel or My Computer, in the Start menu, it doesn't bring up the contents, as it normally does. I have to click on My Computer or Control Panel, for it to bring up a separate Explorer window, with the contents of those.

    I tried running Microsoft Fixit again, after ComboFix, and it still didn't process.


    Something that I hadn't noticed until the last few days, is that Spybot S&D hasn't been giving me notification of changes in a long time. When I change the status of TeaTimer or change the start up menu, it used to give notification.


    Does ComboFix seem to have found and fixed something significant?

  8. #18
    Member
    Join Date
    Nov 2008
    Location
    U.S.
    Posts
    40

    Default

    An additional question: I've got Windows updates that just came in, waiting to be installed. Shall I install them now?

    (My response to your most recent instructions is below.)

  9. #19
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Default

    Hi I_dream_of_Mercury,

    Thanks for the update.

    Please DO NOT process any Windows Updates until your system is confirmed to be clear of infection.

    Scolabar
    Malware Removal University - You too could train to help others

  10. #20
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Default

    Hi I_dream_of_Mercury,

    Thank you again for the feedback and log.

    Quote Originally Posted by I_dream_of_Mercury
    The instructions were clear and easy to follow, except that I notice that this info, http://www.techsupportforum.com/foru...ns-490111.html, differs somewhat from this info, http://www.bleepingcomputer.com/forums/topic114351.html , regarding what's required in order to disable Spybot S&D.

    By the way, I did try disabling it by the instructions at the second link, and tried again, to run Microsoft Fixit, before running ComboFix, but it still didn't process.
    Thank you for the update. However, please can I ask you to simply follow the instructions that I provide. This will avoid any potential problems/confusion and ensure that we reach a conclusion sooner rather than later.

    Quote Originally Posted by I_dream_of_Mercury
    ComboFix was easier to run than I expected.
    Don't be fooled. This is a powerful tool that can do some serious damage to a computer system in the hands of someone other than a trained expert.

    Quote Originally Posted by I_dream_of_Mercury
    The computer's still moving quite slowly - if anything, a little slower than before ComboFix. It takes it much longer than usual to do anything, and much longer than usual to reboot.
    This is to be expected initially after the use of ComboFix.

    Quote Originally Posted by I_dream_of_Mercury
    Something that I hadn't noticed until the last few days, is that Spybot S&D hasn't been giving me notification of changes in a long time. When I change the status of TeaTimer or change the start up menu, it used to give notification.
    This is almost certainly because we have disabled TeaTimer for the time being, so that it won't interfere with any of the fixes.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before we proceed please make sure any open programs are closed.

    Step 1:
    ERUNT

    I notice you already have ERUNT installed on your system. Let's use this tool to make a backup of the Registry before we proceed.

    1. Double-click on the ERUNT program desktop icon to launch the program.
    2. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
    3. Under Backup options make sure both of the first two options: System registry and Current user registry are checked.
    4. Click on the Yes button to allow the folder to be created.
      After a short duration the Registry backup is complete! pop-up message will appear.
    5. Now click on OK. A registry backup has now been created.

    < STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

    Step 2:
    ComboFix - CFScript

    WARNING!
    This script is for THIS user and computer ONLY!
    Using this tool incorrectly could damage your Operating System thereby preventing it from starting again!


    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

    1. Click on Start > Run.
    2. In the text entry box type:
      • Notepad
    3. Then click on the OK button.
    4. This will open an empty Notepad file.
    5. Copy and Paste the contents of the box below into the Notepad window:
      Code:
      KillAll::
      
      Driver::
      cerc6
    6. Save the file to your Desktop as CFScript.txt
    7. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    8. Drag the CFScript.txt (icon) onto the ComboFix.exe icon as shown in the image below:



      This will cause ComboFix to run again.
      Note: Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
      Do Not touch your computer when ComboFix is running!
    9. When the program has finished ComboFix will produce a log file called combofix.txt which will automatically open in Notepad.
    10. Please Copy and Paste the entire contents of the combofix.txt file into your next reply.

    ** REMEMBER ** Re-Enable your Antivirus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

    Step 3:
    OTL - Script

    Next we need to run an OTL script.

    Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan. Refer to This Howto Topic, if necessary.

    1. Double-click on OTL.exe to launch the program.
    2. Copy and Paste the following code into the textbox. Do not include the word Code.
      Code:
      :OTL
      O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe:SummaryInformation
      @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [152 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
      [137 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      
      :Files
      ipconfig /flushdns /c
      
      :Commands
      [PURITY]
      [emptyjava]
      [EMPTYTEMP]
      [RESETHOSTS]
      [CREATERESTOREPOINT]
    3. Then click the Run Fix button at the top.
    4. Click on the OK button.
    5. OTL may ask to reboot the machine. Please do so if asked.
    6. The report should appear in Notepad after the reboot.
    7. Please Copy and Paste the contents of that report into your next reply.

    Step 4:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. combofix.txt.
    3. OTL.txt.
    4. Is there any improvement in how the computer is now running?


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others
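
The `Driver::` directive in the CFScript above names `cerc6`, the one service entry in the earlier combofix.txt that lists no image path. The following is an added example, not part of the thread and not ComboFix's own code: it parses service lines of that form and flags entries with no path or no file details. Reading the leading letter as running/stopped and the digit as the service Start value is an assumption about the log format.

```python
"""Triage of ComboFix-style service lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows service "Start" values; the log's digit is assumed to be this value.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# <R|S><start> <name>;<display>;<image path> [<file info>]
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool   # assumption: R = running, S = stopped
    start: str
    path: str       # empty when the log lists no image path
    info: str       # "x", "?", or "<date> <time> <AM|PM> <size>"

    @property
    def size(self) -> Optional[int]:
        """File size in bytes, or None when the log printed no file details."""
        tokens = self.info.split()
        return int(tokens[-1]) if tokens and tokens[-1].isdigit() else None


def parse_services(log_text: str) -> List[ServiceEntry]:
    entries = []
    for raw in log_text.splitlines():
        m = SERVICE_LINE.match(raw.strip())
        if not m:
            continue  # separators, section headers, registry lines
        # "a --> b" appears when the log prints a second path for the entry
        path = m["path"].split(" --> ")[0].strip()
        entries.append(ServiceEntry(
            name=m["name"], display=m["display"],
            running=m["state"] == "R",
            start=START_TYPES[int(m["start"])],
            path=path, info=m["info"].strip(),
        ))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (service name, reason) for entries that need a manual look."""
    findings = []
    for e in entries:
        if not e.path:
            findings.append((e.name, f"{e.start}-start service with no image path"))
        elif e.size is None:
            findings.append((e.name, f"no file details for {e.path}"))
    return findings


# Lines copied from the combofix.txt posted earlier in this thread.
SAMPLE = r"""
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/8/2010 7:17 AM 228216]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/7/2010 11:34 PM 136360]
    S0 cerc6;cerc6; [x]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe --> c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"""

if __name__ == "__main__":
    for name, reason in triage(parse_services(SAMPLE)):
        print(f"{name}: {reason}")
```

A flagged entry is only a prompt to inspect the service's registry key and the file on disk; the parser does not decide whether the entry is malicious.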
